When technology is mentioned in information security, it’s usually in reference to things like antivirus or anti-malware software, secure access doors, alarms, specialist software, etc.
All of this technology has one thing in common: people.
Technology is only effective if it’s implemented correctly, and that relies on people. Unfortunately, people can be careless and develop bad habits, some of which are due to lack of care or lack of direction.
Here’s a brief example I witnessed recently – minus the identifiable information, of course.
I was in an organisation’s office filling out a form that contained my personal data and payment information. Note that this small office is easily accessible to the public. My form was then put into a cabinet, which was locked. The employee then said, “We’ll keep this in here for now until it’s processed; it’s a locked cabinet, so it’s secure.” He then placed the key on top of the cabinet.
Long story short, I went elsewhere and took that form with me.
It will end in tears
The above story doesn’t involve any form of electronic technology, and the member of staff was still unable to use the piece of equipment correctly. He’s not an idiot; he just hasn’t been given adequate training, which has led to the loss of a customer, and I fear next time it’ll be a loss of customer data.
People need a process
If your organisation has made the correct decision to implement effective information security, then be sure to involve people and processes. Information security can be divided into three equal parts: people, process and technology.
The three are of equal importance, but they all rely on each other. Without people, who will correctly implement effective technology (or put keys in secure places)? Without technology, how will you keep the bad guys out? Without process, who will know who’s doing what?
The concept is easy to grasp and, once you’ve grasped it, then you’ve taken the first step to implementing information security best practice: ISO 27001.
ISO 27001 takes people, process and technology and pieces them together to create an effective information security management system (ISMS) encompassing the whole organisation.
Our ISO 27001 information page has a trove of useful information to help you gain a better understanding of ISO 27001.